CrossCert : A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models

Research output: Chapters, Conference Papers, Creative and Literary WorksRGC 32 - Refereed conference paper (with host publication)peer-review

View graph of relations

Related Research Unit(s)

Detail(s)

Original languageEnglish
Title of host publicationThe ACM International Conference on the Foundations of Software Engineering (FSE) 2024
PublisherAssociation for Computing Machinery
Number of pages23
Publication statusAccepted/In press/Filed - 15 Apr 2024

Conference

Title32nd ACM International Conference on the Foundations of Software Engineering (FSE 2024)
Location
PlaceBrazil
CityPorto de Galinhas
Period15 - 19 July 2024

Abstract

Patch robustness certification is an emerging kind of defense technique for deep learning models. It aims to enhance the reliability of these models against adversarial patch attacks with provable guarantees. There are two research lines: certified recovery and certified detection. They aim to correctly label malicious samples with provable guarantees and issue warnings for malicious samples predicted to non-benign labels with provable guarantees, respectively. However, existing certified detection defenders suffer from producing labels subject to manipulation, and existing certified recovery defenders cannot warn samples about their labels. A certified defense that simultaneously offers robust labels and systematic warning protection against patch attacks is desirable. This paper proposes a novel certified defense technique called CrossCertCrossCert formulates a novel approach by cross-checking two certified recovery defenders to provide unwavering certification and detection certification. Unwavering certification ensures that a certified sample, when subjected to a patched perturbation, will always be returned with a benign label without triggering any warnings with a provable guarantee. To our knowledge, CrossCert is the first certified detection technique to offer this guarantee. Our experiments show that, with a slightly lower performance than ViP and a comparable performance with PatchCensor in terms of detection certification, CrossCert certifies a significant proportion of samples with the guarantee of unwavering certification.

Research Area(s)

  • Certification, Verification, Deep Learning Model, Certified Robustness, Patch Robustness, Worst-Case Analysis, Security

Bibliographic Note

Since this conference is yet to commence, the information for this record is subject to revision. Information for this record is supplemented by the author(s) concerned.

Citation Format(s)

CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models. / ZHOU, Qilin; WEI, Zhengyuan; WANG, Haipeng et al.
The ACM International Conference on the Foundations of Software Engineering (FSE) 2024. Association for Computing Machinery, 2024.

Research output: Chapters, Conference Papers, Creative and Literary WorksRGC 32 - Refereed conference paper (with host publication)peer-review